Infected With Total Security Malware


  • This topic is locked
2 replies to this topic

#1 kmorris_99

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:48 AM

Posted 07 September 2009 - 05:37 PM

My laptop recently (two days ago) started popping up warnings that say "your computer is infected with 38 viruses", blah, blah, blah. Boxes pop up from Total Security showing a fake scan totaling 38 infections of spyware, and telling me to download anti-virus protection from them. I did some research online and found that Total Security is malware. I then came to this website and did a search of the forums to find a fix. I found an uninstall guide for Total Security and attempted to follow the instructions. I downloaded Process Explorer, renamed it to iexplorer.exe, ran it, and looked for the program TSC.exe to disable it, but it did not show up as described in the guide. I went ahead and downloaded Malwarebytes Anti-Malware as directed. When I told it to scan, it scanned for about 4 seconds and then just went away. When I try to run it again, I get an error message that says, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
I had AVG 7.5 on my laptop prior to this. When this happened I downloaded AVG 8.5. I have tried many times now to update it, as it shows the last update was 06 June 2009, but when I do, it just sits there, and I eventually get an error message that says something to the effect that the system could not perform the task because AVG.exe is infected with spyware.
My desktop has changed from my normal desktop to one that is totally white, with my normal icons, and a big message that says "Active Desktop Recovery" followed by instructions on how to recover my desktop, none of which work.
I cannot get into File Manager; it appears Total Security will not let me. It says I don't have permission.
What next? Thank you for your help!

Kelly


DDS (Ver_09-07-30.01) - NTFSx86
Run by Kelly at 15:52:35.12 on Mon 09/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.66 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Kelly\LOCALS~1\Temp\a.exe
C:\WINDOWS\msa.exe
C:\Documents and Settings\Kelly\Desktop\dds.scr
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqladmin.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Taskman=c:\recycler\s-1-5-21-5581390933-9891925640-267851722-0540\msimfo32.exe
BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AntiSpyware Service] c:\docume~1\kelly\locals~1\temp\hmjov9na.exe
uRun: [Monopod] c:\docume~1\kelly\locals~1\temp\a.exe
uRun: [Windows System Recover!] c:\docume~1\kelly\locals~1\temp\services.exe
uRun: [NordBull] c:\windows\msa.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [dewibunaw] Rundll32.exe "c:\windows\system32\vagiwara.dll",a
mRun: [12232964] c:\documents and settings\all users\application data\12232964\12232964.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [tisisezino] Rundll32.exe "c:\windows\system32\dewokawo.dll",s
mRun: [braviax] braviax.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
dRun: [AntiSpyware Service] c:\windows\temp\yxpq4q907.exe
dRun: [Windows System Recover!] c:\windows\temp\winlogon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\winhelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\cru629.dat
SSODL: ronivufaw - {61ca9251-7b46-4bad-92e4-4bbb1d2f22c6} - c:\windows\system32\vagiwara.dll
STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
STS: jugezatag: {61ca9251-7b46-4bad-92e4-4bbb1d2f22c6} - c:\windows\system32\vagiwara.dll
LSA: Notification Packages = scecli c:\windows\system32\kohisiva.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-22 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-10 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-22 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-22 298776]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-22 908568]

=============== Created Last 30 ================

2009-09-07 11:17 <DIR> --d----- c:\docume~1\kelly\applic~1\Malwarebytes
2009-09-07 11:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 11:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-07 11:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 11:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-07 10:50 0 a------- c:\windows\system32\18467.exe
2009-09-07 10:36 <DIR> --d-h--- C:\BJPrinter
2009-09-07 10:36 6,656 a------- c:\windows\system32\CNMVS56.DLL
2009-09-07 10:36 107,008 a------- c:\windows\system32\CNMLM56.DLL
2009-09-07 10:32 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-09-07 10:32 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-09-07 09:50 0 a------- c:\windows\system32\41.exe
2009-09-07 09:18 88,064 a--sh--- c:\windows\system32\wimesabi.dll
2009-09-07 09:18 49,664 a--sh--- c:\windows\system32\zoweduda.dll
2009-09-07 09:18 37,888 a--sh--- c:\windows\system32\yigekote.dll
2009-09-06 19:49 49,664 a------- c:\windows\system32\jahiyaso.dll
2009-09-06 19:40 37,888 a------- c:\windows\system32\jogihuju.dll
2009-09-05 12:23 <DIR> --d----- c:\docume~1\kelly\applic~1\dtuser
2009-09-05 11:44 105,152 a--sh--- c:\windows\system32\notugaji.exe
2009-09-05 11:44 18,696 a--sh--- c:\windows\system32\zedomoje.dll
2009-09-05 11:44 50,176 a------- c:\windows\system32\pawovuda.dll
2009-09-05 11:44 50,176 ---sh--- c:\windows\system32\musebehi.dll
2009-09-05 11:44 24,490 a--sh--- c:\windows\system32\fipufola.exe
2009-09-04 08:44 <DIR> --d----- c:\program files\AdvancedVirusRemover
2009-09-04 08:43 149,504 a------- c:\windows\msa.exe
2009-09-04 08:42 20,992 a------- c:\windows\system32\winhelper.dll
2009-09-04 08:42 831 a------- c:\windows\system32\critical_warning.html
2009-09-04 08:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12232964
2009-09-04 08:42 24,491 a------- c:\windows\system32\winupdate.exe
2009-09-04 08:39 6,144 a------- c:\windows\system32\cru629.dat
2009-09-04 08:39 6,144 a------- c:\windows\cru629.dat
2009-09-04 08:39 10,752 a------- c:\windows\braviax.exe
2009-09-04 08:37 46 a------- C:\p2hhr.bat
2009-09-04 08:33 15,000 a------- c:\windows\system32\tajf83ikdmf.dll
2009-09-04 08:33 103,424 a------- C:\xvhu.exe
2009-09-04 08:33 9,728 a------- C:\fyblb.exe
2009-09-04 08:33 17,920 a------- C:\osps.exe
2009-09-04 08:33 49,152 a------- C:\hpbyv.exe
2009-09-04 08:33 190,333 a------- c:\windows\system32\wisdstr.exe
2009-09-04 08:33 22,016 a------- C:\emxtqjit.exe
2009-09-04 08:33 10,752 a------- c:\windows\system32\braviax.exe
2009-09-04 08:33 77,824 a------- c:\windows\system32\~.exe
2009-09-04 05:00 24,490 a------- c:\windows\system32\jusirodo.exe
2009-09-04 03:11 831,524 a------- c:\windows\system32\gayujoje.exe
2009-09-02 16:38 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2009-08-18 10:44 0 a--sh--- C:\-396046036
2009-08-13 09:15 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-09 17:19 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-09 17:17 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 17:17 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 17:17 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-09 17:17 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 17:17 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-09 17:17 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 17:17 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-09 17:17 <DIR> --d----- C:\6bcc6c83e675b085cb2cdcdf

==================== Find3M ====================

2009-09-04 08:42 831,524 a--sh--- c:\windows\system32\tatetimo.exe
2009-09-04 08:42 88,064 a--sh--- c:\windows\system32\vagiwara.dll
2009-09-04 08:42 24,490 a--sh--- c:\windows\system32\nelufuyu.exe
2009-09-04 08:42 37,888 a--sh--- c:\windows\system32\kirenalo.dll
2009-09-04 08:33 28,672 a------- c:\windows\system32\drivers\beep.sys
2009-08-05 03:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 08:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 08:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 00:32 132,096 a------- c:\windows\system32\wkssvc.dll

============= FINISH: 15:56:47.03 ===============
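A defender-side triage helper, added here as an example and not code from the thread or from BleepingComputer, that reads lines in the DDS "Pseudo HJT Report" format posted above and flags the patterns visible in this log: autoruns launched from temp or recycler directories or by bare filename, a replaced Winlogon Taskman, dangling "No File" entries, a populated AppInit_DLLs, an extra LSA notification package, and the policies that lock out Task Manager, Registry tools and Folder Options. The sample lines are constructed from entries in the log, and the rule set is an assumption chosen for this log rather than a DDS feature.

```python
import re

# Constructed sample in the shape of the DDS "Pseudo HJT Report" section above (entries taken from the thread).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AntiSpyware Service] c:\docume~1\kelly\locals~1\temp\hmjov9na.exe
mRun: [braviax] braviax.exe
dRun: [Windows System Recover!] c:\windows\temp\winlogon.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-0\msimfo32.exe
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
AppInit_DLLs: c:\windows\system32\cru629.dat
LSA: Notification Packages = scecli c:\windows\system32\kohisiva.dll
uPolicies-system: DisableTaskMgr = 1 (0x1)
"""

RUN_RE = re.compile(r"^([umd]Run): \[(.*?)\] (.*)$")
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

def run_target_path(value):
    """Strip surrounding quotes and trailing arguments from a Run value, leaving the executable path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]

def triage_line(line):
    """Return a reason string if the DDS line matches a rogue-AV indicator seen in this log, else None."""
    m = RUN_RE.match(line)
    if m:
        path = run_target_path(m.group(3)).lower()
        if "\\temp\\" in path or "\\recycler\\" in path:
            return "autorun from temp/recycler directory"
        if "\\" not in path:
            return "autorun by bare filename (no directory)"
        return None
    if line.startswith("mWinlogon: Taskman="):
        return "Winlogon Taskman replaced"
    if line.endswith("- No File"):
        return "dangling entry (No File)"
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return "AppInit_DLLs populated"
    if line.startswith("LSA: Notification Packages"):
        extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
        if extra:
            return "extra LSA notification package"
    pm = re.match(r"^[umd]Policies-\w+: (\w+) = 1", line)
    if pm and pm.group(1) in LOCKOUT_POLICIES:
        return f"lockout policy {pm.group(1)} enabled"
    return None

def triage(log_text):
    """Return (line, reason) pairs for every flagged line; clean lines are omitted."""
    hits = [(ln, triage_line(ln.rstrip())) for ln in log_text.splitlines()]
    return [(ln, reason) for ln, reason in hits if reason]
```

Run `triage` over the full report pasted above to get the same eight kinds of hit the helper in this thread would look for first; clean entries such as ctfmon.exe and the AVG tray are left out.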


#2 fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:48 PM

Posted 10 September 2009 - 12:16 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It is in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.




NEXT


Please save this file to your Desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Edited by fenzodahl512, 10 September 2009 - 12:17 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:48 PM

Posted 15 September 2009 - 12:09 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
